AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Stencil whiteboard component library with optional collaboration and asset-upload providers controlled by host application configuration.
Decision evidence
public snapshot- Runtime includes user-invoked sync/asset network helpers in dist/collection/classes/providers/*.
- Stencil runtime uses bounded lazy dynamic require/import for component entry chunks.
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- Entrypoints dist/index.cjs.js and dist/index.js only re-export bundled library code.
- Network calls use caller-supplied URLs/headers for collaboration or asset storage; no hardcoded exfiltration endpoint found.
- License manager validates an offline Ed25519 token via WebCrypto and does not contact a server.
- Trojan-source scan found no bidi/invisible control characters in flagged schema.constants files.
- No child_process, shell execution, credential harvesting, destructive filesystem writes, or AI-agent control-surface writes found.
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/index.cjs.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/esm/schema.constants-3oYjlURq.jsView on unpkg · L2602A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cjs/schema.constants-BHr5Bcqs.jsView on unpkg